The controls we operate today — not a roadmap dressed up as the present. If it isn't here, it isn't in production yet.
Production orgs are rejected at connect time by an org-type gate. We connect to a sandbox over OAuth — nothing is installed in your org.
Runs use a dedicated automation user with the minimum permissions needed. Privileged/admin users are intentionally not used for automation.
JWT bearer auth with per-tenant signing keys. Short-lived Salesforce access tokens live in memory only and are never written to the database.
Every read and write carries a tenant_id predicate, enforced by foreign-key constraints and a dedicated cross-tenant integration test suite, with Row-Level Security policies rolling out table-by-table as a backstop.
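What the tenant_id predicate plus RLS backstop looks like on a PostgreSQL schema, as an added illustration rather than the product's own schema. Table names, column names and the `app.tenant_id` session setting are assumptions.

```sql
-- Added example: tenant-scoped tables with FK constraints and an RLS policy that
-- fails closed if application code ever omits the tenant_id predicate.
-- Table/column names and the app.tenant_id setting are assumed, not the product's.
CREATE TABLE tenants (
  id uuid PRIMARY KEY
);

CREATE TABLE runs (
  id        uuid PRIMARY KEY,
  tenant_id uuid NOT NULL REFERENCES tenants(id),
  status    text NOT NULL,
  UNIQUE (id, tenant_id)   -- lets child tables reference (run, tenant) as a pair
);

-- Composite FK: an artifact can never point at a run owned by another tenant,
-- even if a bug writes the wrong tenant_id on the artifact row.
CREATE TABLE artifacts (
  id        uuid PRIMARY KEY,
  tenant_id uuid NOT NULL REFERENCES tenants(id),
  run_id    uuid NOT NULL,
  kind      text NOT NULL,
  FOREIGN KEY (run_id, tenant_id) REFERENCES runs(id, tenant_id)
);

-- RLS backstop. FORCE applies the policy to the table owner too; the
-- application role must additionally not be SUPERUSER or have BYPASSRLS.
ALTER TABLE runs ENABLE ROW LEVEL SECURITY;
ALTER TABLE runs FORCE ROW LEVEL SECURITY;

-- current_setting(..., true) returns NULL when app.tenant_id is unset, so the
-- predicate evaluates to NULL and no rows are visible or writable: fail closed.
CREATE POLICY runs_tenant_isolation ON runs
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);

-- Per-request pattern: SET LOCAL scopes the tenant to this transaction only.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';  -- constructed sample id
SELECT id, status FROM runs;   -- returns only this tenant's rows, even without WHERE tenant_id
COMMIT;
```

A cross-tenant test for this setup asserts that the same `SELECT` under a different `app.tenant_id` returns zero of the first tenant's rows, and that an `INSERT` with a mismatched tenant_id is rejected by `WITH CHECK`.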
TLS in transit; encryption at rest on database rows, storage objects, and secrets. The database has no public IP — reachable only via a private socket.
HttpOnly signed session cookies, idle and absolute timeouts, instant revocation on logout, and a recent-auth gate for sensitive actions.
Runs produce screenshots, video, and timelines. Because these capture a live Salesforce session, they can contain on-screen business data — so we treat them accordingly.
| Data | Default retention | Hard ceiling |
|---|---|---|
| Screenshots, video, HTML reports | 7 days | 90 days (bucket lifecycle) |
| Run records & metadata | Deleted with their artifacts | 90 days |
| Artifact download URLs | 15-minute signed expiry | — |
| Salesforce access tokens | In-memory only (never written) | — |
We'd rather over-explain the boundary than over-promise the posture.